On 2015-05-05 15:03, Yann Ylavic wrote:
> On Thu, Apr 30, 2015 at 11:52 PM, William A Rowe Jr <[email protected]> wrote:
>>
>> Concerns / observations / thoughts?
>
> I'd like to propose those 2.4.x CHANGES (r1542327+r1569005+r1542327)
> for backport to 2.2.x (in reverse order):
>
> *) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
>    larger keys and support up to 8192-bit keys. [Ruediger Pluem,
>    Joe Orton]
>
> *) mod_ssl: Improve handling of ephemeral DH and ECDH keys by
>    allowing custom parameters to be configured via SSLCertificateFile,
>    and by adding standardized DH parameters for 1024/2048/3072/4096 bits.
>    Unless custom parameters are configured, the standardized parameters
>    are applied based on the certificate's RSA/DSA key size. [Kaspar Brand]
>
> *) mod_ssl, configure: Require OpenSSL 0.9.8a or later. [Kaspar Brand]
>
> *) mod_ssl: drop support for export-grade ciphers with ephemeral RSA
>    keys, and unconditionally disable aNULL, eNULL and EXP ciphers
>    (not overridable via SSLCipherSuite). [Kaspar Brand]
>
> or at least partly.
>
Perhaps it is also a good time to kick SSLv2 support from 2.2.x ;)
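As an added illustration of the DH-parameter behaviour the quoted CHANGES entries describe (not code from httpd or from anyone in this thread): the script below reads a PEM bundle of the kind pointed to by SSLCertificateFile, DER-decodes any `DH PARAMETERS` block to report the prime's bit length, and otherwise falls back to a standardized size chosen from the certificate key size. The fallback mapping (smallest of 4096/3072/2048/1024 not exceeding the key size, minimum 1024) is an assumption modelled on mod_ssl's selection as I recall it, and the sample DH block is constructed with a non-prime filler value purely to exercise the parser.

```python
import base64
import re
from typing import Optional

PEM_DH = re.compile(r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text: str) -> Optional[int]:
    """Bit length of p in the first DH PARAMETERS block (DHparameter ::= SEQUENCE {p, g}), else None."""
    m = PEM_DH.search(pem_text)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH PARAMETERS is not a SEQUENCE")
    tag, p, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p, "big").bit_length()

STANDARD_DH_BITS = (4096, 3072, 2048, 1024)  # assumed mapping, see lead-in

def effective_dh_bits(pem_text: str, cert_key_bits: int) -> int:
    """Custom parameters win; otherwise pick a standardized size from the cert key size."""
    custom = dh_prime_bits(pem_text)
    if custom is not None:
        return custom
    return next((b for b in STANDARD_DH_BITS if cert_key_bits >= b), 1024)

def make_dh_pem(prime_bits: int) -> str:
    """Constructed test fixture: p is NOT a real prime, only a value of the requested size."""
    der = _der_int((1 << (prime_bits - 1)) | 0x2F5) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len(len(der)) + der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"
```

Run `dh_prime_bits` over a real bundle (e.g. one where `openssl dhparam` output was appended to the certificate) to confirm which DH size a server will actually negotiate.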
